Solved: Hi Benjamin,

Benjamin Krueger · ‎10-26-2015

Hello!

I have a question about LDAP authentication with applications that are connected via AXL through an SSO enabled CUCM 10.5.

Short description about environment.

We have an SSO enabled CUCM 10.5 with SAML 2.0 integrated ADFS from Microsoft. SSO is working very good, really great solution in my opinion :).

Now we have applications like UCCX 10.6 (and other like ANDTEK) that doesn't Support SSO, so they are still connected to AXL and want an authentication for user access.

So how will the authentication work with CUCM? Will the CUCM use the LDAP authentication (System -> LDAP -> LDAP authentication) or did he try SSO connection to ADFS?

At the moment only local user of CUCM can get acces to UCCX and ANDTEK not LDAP synchronized... That's why I ask so how is the authentication work, so I can look which troubleshooting I can do.

Hope you can help me!

best regards

Benjamin

Eike Scholz-Janotte · ‎10-30-2015

Hi Benjamin,

not sure how UCCX authnticate users against CUCM but I know that there is also an AXL User needed which does the autnetication as far as I know.

Not sure why Andtek should only authticate local users from CUCM since Andetek also using AXL.

AXL has a method to authenticate users on the basis of pin or password. This is done by "DoAuthenticateUserReq". What CUCM is doing with this request is another story but it shouldn't make a difference if it is a local user (check password against CUCM database) or synced user (CUCM check against LDAP).

There is no method to do a SSO against CUCM since CUCM is not the identity provider.

Most people think everyone can use Cisco SSO also for other application but thats not true. ADFS and SSO is quite a complex thing behid the scenes since you need specific Claim Rules to get a token back. Why should a user get access to a 3rd party application just because the user is authenticated against CUCM.

SSO works the same as you may login with your google ID or Facebook ID into tripadvisor. There must be a trust between the systems. So tripadvisor trust the token given by facebook but that doesnt that you can access your doodle account because you have a token from facebook. In that case doodle need to trust facebook.

So in general CUCM with all its websites trust AD (ADFS) so that you do not need to login for all the CUCM and IM&P sites. But you still need to authenticate for other applications.

I guess you are from germany so maybe it is a good idea to read that article http://www.faq-o-matic.net/2014/04/02/adfs-grundlagen-und-architektur/

It explains it very well how SSO or ADFS works.

Eike

View solution in original post

Chris Deren · ‎10-30-2015

In short since you already have LDAP integration on CUCM that is extended to CCX via AXL, users when logging into Finesse will be prompted for username and password which is their AD credentials.

View solution in original post

Eike Scholz-Janotte · ‎10-30-2015

Hi Benjamin,

not sure how UCCX authnticate users against CUCM but I know that there is also an AXL User needed which does the autnetication as far as I know.

Not sure why Andtek should only authticate local users from CUCM since Andetek also using AXL.

AXL has a method to authenticate users on the basis of pin or password. This is done by "DoAuthenticateUserReq". What CUCM is doing with this request is another story but it shouldn't make a difference if it is a local user (check password against CUCM database) or synced user (CUCM check against LDAP).

There is no method to do a SSO against CUCM since CUCM is not the identity provider.

Most people think everyone can use Cisco SSO also for other application but thats not true. ADFS and SSO is quite a complex thing behid the scenes since you need specific Claim Rules to get a token back. Why should a user get access to a 3rd party application just because the user is authenticated against CUCM.

SSO works the same as you may login with your google ID or Facebook ID into tripadvisor. There must be a trust between the systems. So tripadvisor trust the token given by facebook but that doesnt that you can access your doodle account because you have a token from facebook. In that case doodle need to trust facebook.

So in general CUCM with all its websites trust AD (ADFS) so that you do not need to login for all the CUCM and IM&P sites. But you still need to authenticate for other applications.

I guess you are from germany so maybe it is a good idea to read that article http://www.faq-o-matic.net/2014/04/02/adfs-grundlagen-und-architektur/

It explains it very well how SSO or ADFS works.

Eike

Chris Deren · ‎10-30-2015

In short since you already have LDAP integration on CUCM that is extended to CCX via AXL, users when logging into Finesse will be prompted for username and password which is their AD credentials.

Benjamin Krueger · ‎10-31-2015

Hi Eike, Hi Chris!

Yes your both right, they using different ways for authentication.

1.) SSO only between CUCM and IdP (ADFS)

2.) LDAP authentication over CUCM from UCCX and Third-Party applications.

It is now working. The issue was that I have a problem with certificates and fgdn name of LDAP servers. With TAC SR and the command "utils ldap config ipaddr" we forece to use IP address instead of fqdn when using LDAP authentication and know it looks like that it is working. Not sure why the certificates in my trust-store didn't worked with fqdn.

Thanks alot for your replay and your help :)!

best regards

Benjamin

Chris Deren · ‎10-31-2015

Interesting...

Is the certificate on the LDAP server issued against it's IP address instead of FQDN? That would be the only logical explanation.

SSO and AXL Authentication against LDAP